Ex-NSA Hacker Discloses macOS High Sierra Zero-Day Vulnerability

A Mac running Apple's latest operating system, High Sierra, can be hacked by tweaking just two lines of code, a researcher demonstrated at the Def Con security conference on Sunday.

Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in macOS that could allow a malicious application already installed on the targeted system to virtually "click" objects without any user interaction or consent.

Wardle presented his research into "synthetic" interactions with a user interface (UI) under the title "The Mouse is Mightier than the Sword," showcasing an attack built on "synthetic clicks": programmatic and invisible mouse clicks generated by a software program rather than by a human.

macOS itself offers synthetic clicks as an accessibility feature so that people with disabilities can interact with the system interface in non-traditional ways, but Apple has put limitations in place to stop malware from abusing these programmed clicks.

Wardle accidentally discovered that High Sierra incorrectly interprets two consecutive synthetic mouse "down" events as a legitimate click. This allows an attacker to programmatically interact with the security warnings that ask users to choose between "allow" and "deny," and so to reach sensitive data or features.

“The user interface is that single point of failure,” says Wardle. “If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms.”

Although Wardle has not yet published technical details of the flaw, he says the vulnerability could potentially be exploited to dump all passwords from the keychain or to load malicious kernel extensions by virtually clicking "allow" on the security prompt, gaining full control of the target machine.

Wardle said that he found this loophole by accident while copying and pasting code, and that just two lines of code are enough to completely break this security mechanism.

Unlike with his earlier findings, Wardle did not report this research to Apple in advance and chose instead to publicly reveal details of the zero-day bug at the Def Con hacker conference.

“Of course OS vendors such as Apple are keenly aware of this ‘attack’ vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately, they failed,” says Wardle.

However, Apple's next version of macOS, Mojave, already mitigates the threat by blocking all synthetic events, which in turn reduces the scope of the accessibility feature for applications that use it legitimately.
